Hi, an idea just submerged. If I update an ebuild, based on a security fix, and it is still running (e.g. mysql), wouldn't it be nice to have a restart flag (à la etc-update detection)?

When using a tool like glsa-check and installing the fix, glsa-check would not report a vulnerability if the old service is still running but the build has been upgraded...?

This check would potentially be dependent on /proc or lsof or something, to be able to determine if the binary is running at upgrade time, or glsa-check could be fixed to check if the binary has been running for longer than the mod-time of the binary itself? Thus detecting that a fix has been installed, but the service needs to be restarted?

Nice idea. But wouldn't it bloat stuff a lot? When you do a glsa update, YOU could just restart the service. Easy, uhn?

Yeah, of course, when running glsa-check and updates, most would have their mind fixed on security and restart the needed services.

But when someone makes an emerge update world, a lot of messages flash by. I wouldn't put the check in the emerge process, but when the user then runs glsa-check later, after a critical service has been updated, there could be a check in glsa-check that somehow tries to verify that the running process is the current binary on disk... like "Warning: mysql has been updated, but not restarted, the running version is vulnerable to glsa-xx". I wouldn't mind more bloat in glsa-check, if that will help me keep my systems secure.

I'm not sure if this is possible, however, and there are some cases where this would be hard to detect, like updated libraries, etc...
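The check the thread is asking for (is the running process still the binary on disk, or has the package manager replaced it?) can be done from /proc without lsof. The script below is an added example written for this thread; it is not part of glsa-check, gentoolkit or any Gentoo tool, and the function names (stale_reason, check_pid, deleted_library_paths, scan_all) are hypothetical. It assumes a Linux /proc. It covers both situations the thread raises: the executable itself, by comparing /proc/PID/exe and the process start time against the on-disk file, and the "updated libraries" case, by looking for shared objects that are mapped into a process but whose file has since been unlinked (the kernel marks those "(deleted)" in /proc/PID/maps). It goes beyond the exact mysql case in the thread by scanning every process the caller may inspect.

```python
"""Report processes that still run an executable or library replaced on disk.

Added example for the forum discussion above; not glsa-check code.
Assumes a Linux /proc filesystem. Run as root to inspect all processes.
"""
import os

# Clock ticks per second, needed to convert the start time in /proc/PID/stat.
CLK_TCK = os.sysconf("SC_CLK_TCK") if hasattr(os, "sysconf") else 100
DELETED = " (deleted)"


def boot_time():
    """Epoch seconds at which the kernel booted (the btime line of /proc/stat)."""
    with open("/proc/stat") as f:
        for line in f:
            if line.startswith("btime "):
                return int(line.split()[1])
    raise RuntimeError("btime not found in /proc/stat")


def process_start_time(pid):
    """Epoch seconds at which PID started (field 22 of /proc/PID/stat)."""
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    # The comm field is in parentheses and may contain spaces; split after it.
    fields = stat[stat.rindex(")") + 2:].split()
    starttime_ticks = int(fields[19])  # field 22 overall, index 19 after comm
    return boot_time() + starttime_ticks / CLK_TCK


def stale_reason(exe_target, start_epoch, exe_mtime):
    """Pure decision logic, kept free of /proc so it can be tested on constructed input.

    exe_target:  result of readlink on /proc/PID/exe
    start_epoch: when the process started
    exe_mtime:   mtime of the file now at that path, or None if it is gone
    Returns None when the process runs the current on-disk binary, else a reason.
    """
    if exe_target.endswith(DELETED):
        # The mapped inode was unlinked, e.g. replaced by the package manager.
        return "executable was replaced or removed on disk"
    if exe_mtime is None:
        return "executable path no longer exists"
    if exe_mtime > start_epoch:
        # Same inode rewritten in place after the process started.
        return "executable on disk is newer than the running process"
    return None


def deleted_library_paths(maps_text):
    """Paths of file-backed mappings marked '(deleted)' in /proc/PID/maps text.

    Pseudo-files (memfd, /dev, SysV shm) are skipped; they are deleted by design.
    """
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6 or not parts[5].endswith(DELETED):
            continue
        path = parts[5][: -len(DELETED)]
        if path.startswith("/") and not path.startswith(("/dev/", "/memfd:", "/SYSV")):
            found.add(path)
    return sorted(found)


def check_pid(pid):
    """Return a list of reasons PID needs a restart (empty if it is current)."""
    exe_target = os.readlink(f"/proc/{pid}/exe")
    path = exe_target[: -len(DELETED)] if exe_target.endswith(DELETED) else exe_target
    try:
        mtime = os.stat(path).st_mtime
    except FileNotFoundError:
        mtime = None
    reasons = []
    reason = stale_reason(exe_target, process_start_time(pid), mtime)
    if reason:
        reasons.append(reason)
    with open(f"/proc/{pid}/maps") as f:
        for lib in deleted_library_paths(f.read()):
            reasons.append(f"mapped library replaced on disk: {lib}")
    return reasons


def scan_all():
    """Map PID -> reasons for every inspectable process that is stale."""
    results = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            reasons = check_pid(int(entry))
        except OSError:
            continue  # kernel threads, processes that exited, or other users' processes
        if reasons:
            results[int(entry)] = reasons
    return results


if __name__ == "__main__":
    for pid, reasons in sorted(scan_all().items()):
        with open(f"/proc/{pid}/comm") as f:
            name = f.read().strip()
        for reason in reasons:
            print(f"PID {pid} ({name}): {reason}")
```

Run it after an update (as root, so /proc/PID/exe and maps of system services are readable) and restart whatever it lists; a service that shows up only with "mapped library replaced on disk" is exactly the library case the thread calls hard to detect. The mtime comparison is the fallback for the rarer case where a file was overwritten in place rather than replaced, which leaves /proc/PID/exe without the "(deleted)" marker.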